sigmac: improved Kibana backend

* added fields from rules * default index if none is matching
2017-09-16 00:37:16 +02:00
parent d3201229b0
commit c8a66e48b6
1 changed files with 16 additions and 2 deletions
@@ -274,9 +274,23 @@ class KibanaBackend(ElasticsearchQuerystringBackend):
                description = sigmaparser.parsedyaml["description"]
            except KeyError:
                description = ""
-            
+
+            columns = list()
+            try:
+                for field in sigmaparser.parsedyaml["fields"]:
+                    mapped = sigmaparser.config.get_fieldmapping(field).resolve_fieldname(field)
+                    if type(mapped) == str:
+                        columns.append(mapped)
+                    elif type(mapped) == list:
+                        columns.extend(mapped)
+                    else:
+                        raise TypeError("Field mapping must return string or list")
+            except KeyError:    # no 'fields' attribute
+                pass

            indices = sigmaparser.get_logsource().index
+            if len(indices) == 0:
+                indices = ["logstash-*"]
            for index in indices:
                if len(indices) > 1:     # add index names if rule must be replicated because of ambigiuous index patterns
                    rulename += "-" + indexname
@@ -290,7 +304,7 @@ class KibanaBackend(ElasticsearchQuerystringBackend):
                            "title": title,
                            "description": description,
                            "hits": 0,
-                            "columns": [],   # TODO: add columns used in search
+                            "columns": columns,
                            "sort": ["@timestamp", "desc"],
                            "version": 1,
                            "kibanaSavedObjectMeta": {